System and method for provisioning universal stateless digital and computing services

ABSTRACT

A service provisioning system and method for providing remote access to digital services over a communications network, comprising a plurality of client devices connected to the communications network for requesting digital services from a plurality of service centers and presenting output from the digital services. The network operation center connected to the communications network authenticates client devices and users, manages sessions, and processes requests for digital services. A connector associated with each service center establishes a session with a client device specified by the network operation center and encapsulates the native protocols of the digital services within a remote interactive protocol. The remote interactive protocol includes information for generating a human-perceptible presentation on the client device, to provide a remote access to the digital services without modifying the hardware and software infrastructure of the service centers.

RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 10/328,660, entitled “SYSTEM AND METHOD FOR PROVISIONING UNIVERSAL STATELESS DIGITAL AND COMPUTING SERVICES,” filed on Dec. 23, 2002, which claims priority under 35 U.S.C. §119(e) to U.S. Provisional Application Ser. No. 60/381,532, entitled “SOFTWARE AND SERVICE PROVISIONING ARCHITECTURE FOR UNIVERSAL STATELESS DELIVERY OF ANY DIGITAL AND COMPUTING SERVICES,” filed on May 17, 2002, each of which is herein incorporated by reference in its entirety.

BACKGROUND OF INVENTION

The present invention relates generally to remote access of digital data and services and, more particularly, to a service provisioning system architecture for providing universal stateless digital and computer services.

The configuration of corporate computer systems has evolved over the past fifty years since the introduction of the software programmable digital computer. In the first multi-user systems, some number of users, such as corporate employees, etc., accessed the processing power of one or more centrally located mainframe computers using “dumb terminals” connected to the mainframe computers via a communications network. The mainframe computers provided all processing power and data storage facilities. The dumb terminal was used for and limited to inputting data to the mainframe computers and displaying output data generated by the mainframe computers. That is, the dumb terminal did not have the capability of processing or storing data locally. Essentially, the dumb terminal was useless unless it was connected to the mainframe computers via a dedicated, mainframe and installation-specific communications network.

However, the high cost associated with acquiring and maintaining the mainframe computers fueled the availability and popularity of the desktop or personal computer (“PC”) in the 1980s. Initially configured as a stand-alone platform, a PC is a self-contained computing system where all processing is performed locally, and all applications and data are executed and stored locally. The relatively low cost of PCs enabled single users and small businesses to readily acquire and utilize the processing power of the PCs instead of relying on massive, centrally located mainframe systems. However, users could not easily share data with other users since their PCs were not part of a centralized network and did not necessarily use the same operating system. Also, since each PC needed its own local copy of any software to be executed, incompatible versions of the same software application in different personal computers prevented users from communicating and sharing data with each other.

These connectivity and compatibility problems with the standalone PCs gave rise to client/server systems. The PCs (or clients) were connected to each other via a private communications network, such as a corporate network, and to a common server storing data and applications. The server maintains the common data and provides copies of the data to the clients upon request. However, since the client/server systems rely on the processing power of the PC, the hardware and software components of each PC of a client/server network must be constantly synchronized and therefore upgraded. In many corporate settings, PCs are numerous and widely distributed throughout and among diverse locations. Depending on the age and type of the PC system, certain hardware components, such as microprocessors, random access memory (RAM), hard disk devices, etc., can be upgraded or replaced without replacing the entire PC system. However, even when it is feasible to upgrade the PC systems, the cost of upgrading thousands of PC systems can be staggering.

When the PC system can no longer be upgraded, the entire system must be replaced. For example, newer versions of software applications or operating systems may require hardware capabilities that cannot be satisfied by existing PC systems. Generally, a PC system is considered to be obsolete in three to five years, thereby necessitating costly replacement of thousands of PCs as often as every three years.

In addition to the cost of purchasing new hardware and software, the cost of resolving the software and hardware compatibility problems in the client/server system can be substantial. For example, many software applications are not readily backwards compatible, thereby imposing a significant burden on the corporations to maintain compatible versions of software applications on all PC systems. The administrative effort and the cost to upgrade each system, provide licensed copies of software, and install and maintain the software is the largest portion of the recurring costs of running a client/server network in a corporation. Even with remote administration capabilities, the tracking and cataloging of software applications can be very onerous.

Installation of new software also exposes the corporate user to security risks. The integrity and security of the corporate network can be easily breached by hackers or disrupted partially or in total by inadvertent or intentional introduction of computer viruses when a user installs or downloads unauthorized, and even authorized, software applications or files.

Individuals who are away from their office often have a continuing need to gain access to their corporate networks. They may need to access files, e-mails, applications and programs running on their “desktop”, etc. (“Desktop” refers to a top level, local graphical user interface environment customized by a user to display and provide access to data, folders and applications.) One approach is to use laptop personal computers to enable users to access the corporate network to remotely access their files and e-mails. That is, if appropriate communications software is installed on each client laptop PC, the users can remotely access emails and the corporate network to transfer files from/to the network server through a dial-up telephone line (or a broadband connection, such as a digital subscriber line (DSL), T1, cable, etc.). All application programs reside and locally execute on the local client laptop PC. While this approach is simple, it necessitates that each and every such software application be installed, configured and then maintained on each laptop PC. Consequently, over time, this approach, particularly in view of the on-going support costs of the installed software applications, can become quite expensive.

Another approach uses a traditional virtual private network (VPN) to provide wide area network (WAN) connectivity from a remote user location to a central corporate local area network (LAN). A VPN WAN connection can implement an Open Systems Interconnection (OSI) layer 2 extension between the LAN and the remote user location. A remote client PC connected through a VPN to a LAN appears as if it is directly connected to the LAN. However, a VPN connection requires expensive VPN termination equipment (or a client-site VPN router) located at each end of the connection, or VPN client software installed and configured at the client machine. In either case, the VPN terminator provides layer 2 packet processing as well as appropriate packet encryption/decryption functionality. Although VPN software, whether built into the PC operating system or installed as a separate client, can mitigate the cost of the VPN terminator, it requires considerable packet processing to assemble and disassemble packets, imposing a significant processing burden on the PC. Accordingly, a separate dedicated VPN terminator at the remote user location is often required to support VPN connectivity with the required levels of security and reliability without imposing undue processing loads on the client PC itself. Thus VPN equipment is not only expensive, but tedious to configure and costly to administer and maintain.

In all of the above cases, sensitive corporate data are transferred and duplicated between the secure corporate network and the PC/laptop. Once data is downloaded and physically copied, no access or transport security system can prevent unauthorized, uncontrolled distribution and misuse of the data, which happens without the knowledge of the legitimate data owner.

Still another approach to extending the office environment to remote user locations utilizes an application service provider (ASP) model requiring the installation of specialized server software in the network server, such as Citrix Corporation's MetaFrame® software using the independent computing architecture (ICA®) protocol. The network server situated on the LAN would function as an ASP by hosting multiple virtual machines, to various different remotely located client PCs. Alternatively, Microsoft Corporation's Windows® Terminal Services (WTS) using remote desktop protocol (RDP) can be utilized to provide multiple virtual machines. However, both the MetaFrame® and WTS software impose considerable processing load on the client PC, and are vulnerable to network faults and security breaches, such as “man-in-the-middle” attacks. Additionally, the ASP-based approach, at best, provides a limited remote execution functionality. The prior art systems were designed and developed to overcome the bandwidth limitations of the prior communications networks. Current technological advances have dramatically increased the bandwidth of the communications network. The network bandwidth is increasing faster than microprocessor speed and doubling approximately every nine months, thereby reducing the value of the prior art systems and technologies, effectively rendering them obsolete. In view of the shortcomings of the prior systems and networks, it is desirable to provide a system and method for enabling a user to securely access his client machine, including desktop, software applications, email, data files, etc., from anywhere in the world as if he is still in the office without compromising security or investing in new hardware/software infrastructure.

Managing information systems efficiently has never been more difficult or more essential for success. As the cost of ownership for desktop systems escalates, corporations need ways to reduce purchase and upgrade costs, administration and maintenance expenses. However, these savings can't result in a loss of functionality or performance. Unrestricted access to high performance applications remains a critical requirement in managing information systems efficiently. Thus, it is desirable to have a service provisioning system architecture that can provide an unrestricted, native and secure remote access without modifying, or with minimal changes to, its existing hardware and software infrastructure.

SUMMARY OF INVENTION

Therefore, it is an object of the present invention to provide a service provisioning system architecture that delivers universal stateless digital and computing services and overcomes the above-noted shortcomings.

It is another object of the present invention to provide a service provisioning system architecture that provides a secure, reliable, rich, high-performance access to a corporate system, such as a legacy enterprise data center, with no or minimal modification to the existing hardware and software infrastructure. The corporate data center can be outfitted with a connector or connection service device to provide a secure remote access from anywhere in the world.

The inventive system and method enables a user of a client device, preferably a stateless client device, to access remote resources including applications and data. Thus, without requiring a local copy of software or data or corresponding hardware resources, a user can surf the Internet, and access his desktop operating system, files and applications. The user can further access other digital services, such as digital video and music broadcasts, Internet protocol (IP) telephony and the like, using a client device much like a television. Preferably, the system includes an authentication system or mechanism, such as a smart card.

By defining a new way of delivering digital services, the inventive service provisioning system architecture offers multiple levels of functionality, security and long-term investment protection at a significantly lower overall cost than prior approaches, and allows delivery of any digital service to a remote location without requiring a local copy of the data, any application or supportive hardware.

In accordance with an embodiment of the present invention, the inventive system delivers digital services from an existing network, system or data center through a single “Digital Dial Tone” network without compromising security or modifying any of the functions, operations and hardware/software infrastructure of the existing network. The service provisioning system architecture of the present invention connects simple, low cost, low maintenance client devices, that can be incorporated in various forms, such as desktops, portable, wireless, or embedded in existing legacy appliances such as TVs, PDAs and PCs.

In accordance with an embodiment of the present invention, the service provisioning system provides remote access to digital services over a communications network, comprising a plurality of client devices connected to the communications network for requesting digital services from a plurality of service centers and presenting output from the digital services. The network operation center connected to the communications network authenticates client devices and users, manages sessions, and processes requests for digital services. A connector associated with each service center establishes a session with a client device specified by the network operation center and encapsulates the native protocols of the digital services within a remote interactive protocol. The remote interactive protocol includes information for generating a human-perceptible presentation on the client device, to provide a remote access to the digital services without modifying the hardware and software infrastructure of the service centers.

In accordance with an embodiment of the present invention, the service provisioning method provides a secure remote access to digital services over a communications network. The method connects each service center to a connector to provide one or more digital services over the communications network, the connector encapsulating respective native protocols of the digital services within a common remote interactive protocol. The method receives a request for a digital service available on a service center from a user on a client device over the communications network. The network operation center authenticates the user and the client device. If the user and the client device are authenticated as a valid user and a valid client device, a device connection to the client device is established to initiate a session. The method translates input/output commands of the requested digital service into the remote interactive protocol by the connector, thereby making the requested digital service on the service center remotely accessible to the valid user on the valid client device without modifying the hardware and software infrastructure of the data center.

The present invention may be embodied in a network of computer systems including a set of dedicated servers adapted by a set of software components, all configured according to the service provisioning system architecture. This architecture has the ability to connect, generate, manage and deliver a digital service session to a variety of client devices connected to the network, and enables the “hot swapping” or “switching” of such sessions between devices by simply authenticating the user through a smart card or other applicable access control technology. By reason of the unique and novel aspects of the present invention, user interaction with each service is unaffected by the type, location or connectivity of the device used.

Various other objects, advantages and features of this invention will become readily apparent from the ensuing detailed description and the appended claim.

BRIEF DESCRIPTION OF DRAWINGS

The following detailed description, given by way of example, and not intended to limit the present invention solely thereto, will best be understood in conjunction with the accompanying drawings in which:

FIG. 1 is an exemplary block diagram of the service provisioning system architecture of the present invention;

FIGS. 2A-2D are exemplary screen shots of the Meta-Desktop in accordance with an embodiment of the present invention;

FIG. 3 is a flow chart of an authentication process in accordance with an embodiment of the present invention; and

FIG. 4 is a flow chart of a process for transferring control of a client device to another NOC in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

The present invention is readily implemented using presently available communication apparatuses and electronic components. The invention finds ready application in virtually all communications systems, including but not limited to intranet, local area network (LAN), wireless LAN (WLAN), wide area network (WAN), Internet, private and public communications networks, wireless, satellite, cable network or other online global broadcast, point-to-point, and other networks.

The present invention provides the basis for a secure, reliable, rich, high-performance access to a wide variety of computational, communications, entertainment and other digital services (collectively referred to herein as “digital services”) while providing enhanced security and without requiring a costly conversion to a new hardware/software infrastructure. The system utilizes low-cost, low-maintenance devices to deliver digital services over a wide variety of communications networks worldwide. The inventive service provisioning system architecture is operable to manage multiple user sessions from a variety of different client devices. The system continuously maintains each session, thereby permitting the user to readily access his session from different locations and client devices.

In accordance with an embodiment of the present invention, as shown in FIG. 1, a service provisioning system architecture 100 comprises one or more client devices 400, service centers 300 and network operation centers (NOC) 200 connected to each other via a communications network, such as the Internet or a wide area network (WAN) 110. The service provisioning system architecture 100 can utilize virtually any communications system, such as intranet, local area network (LAN), wireless network including wireless LAN (WLAN), wide area network (WAN), Internet, private or public communications network, satellite network, cable network, other online global broadcast network and the like. In accordance with an aspect of the present invention, the service provisioning system architecture 100 includes security tokens associated with each authorized user of the universal stateless digital and computing services.

In accordance with an embodiment of the present invention, the WAN 110 is a packet network using, for example, transmission control protocol/Internet protocol (TCP/IP). Since all processing and computations are centrally performed at the service center(s) 300, the WAN 110 should support a desired level of quality of service (QOS) to ensure timely response time and timely delivery of data between the client devices 400 and the service centers 300. For example, in order to ensure that the user does not experience an unacceptable or even noticeable delay, the round-trip delay imposed by the WAN 110 should be less than, for example, 60 msec. Accordingly, the total time from the user entering the inputs to the rendering of the textual or graphical representation of the result (i.e., round-trip delay) should be below the user's threshold of perception, i.e., about a hundred milliseconds. Preferably, the QOS demands on the WAN 110 as characterized by round-trip delays are less than 60 ms on average and less than 100 ms in the worst case. It is appreciated that from the user's standpoint and perception, a higher average delay with a low variance is generally preferred over a lower average delay with a high variance.

Consistent with current and foreseen architecture of global communications networks, the bandwidth requirements of WAN 110 are highly asymmetrical for typical computing applications. The remote processing and rendering aspect of the inventive service provisioning system architecture 100 typically generates considerably more downstream traffic (i.e., data traffic from the service center 300 to the client device 400) than upstream traffic (i.e., data traffic from the client device 400 to the service center 300). In a typical application, the bandwidth demand from upstream traffic is on the order of a few kilobits per second (Kbps) whereas the downstream traffic averages between a few hundred Kbps to several Mbps. For example, in a digital broadcast service application, the traffic consists mainly of broadcast video/audio data from the service center 300 to the client device 400 (i.e., downstream traffic) at 1.554 Mbps after the user selects a particular broadcast or channel, similar to over-the-air broadcast television and cable television, the latter requiring a single upstream transmission of less than one kilobyte.

Remote devices 430, e.g., CD-ROMs, video cameras, scanners, printers, etc., connected to the client devices 400 can increase the upstream traffic to impose additional bandwidth requirements on the WAN 110. However, these upstream bandwidth demands on WAN 110 can be easily quantified and tend to be constant, frequently being isochronous.

In accordance with an embodiment of the present invention, the inventive service provisioning system architecture 100 utilizes industry standard compression technology to transmit audio and/or video content (e.g., Moving Picture Experts Group (MPEG), MP3 and the like). Accordingly, bandwidth demands on the WAN 110 from multimedia and telephony applications can be defined. The availability of enhanced WAN performance, e.g., a higher WAN QOS guarantee, may reduce the cost of client devices 400 due to lower memory and data buffering requirements. For example, the approximate bandwidth requirements for various multimedia applications on the WAN 110 include: 160 Mbps for uncompressed analog National Television Standards Committee (NTSC) video and audio, 2 to 7 Mbps for compressed DVD-quality video, 384 Kbps to 1 Mbps for VCR-quality video using the latest coder/decoder (codec), 1.5 Mbps for raw (e.g., pulse width modulation (PWM) encoded) CD-quality audio and 128 Kbps for MP3-compressed music. In contrast, the bandwidth requirement can be as little as 8 Kbps for simple telephony grade compressed audio.

In accordance with an embodiment of the present invention, the inventive service provisioning system architecture 100 can use various public and/or proprietary remote interactive protocols to ensure user authentication and privacy, preferably through end-to-end encryption. For example, the present system can utilize protocols such as remote desktop protocol (RDP), independent computing architecture (ICA®), hypertext transfer protocol (HTTP), stateless low-level interface machine (SLIM), appliance link protocol (ALP), etc., as the remote interactive protocol as long as the protocol provides user authentication and enables the user to securely connect and disconnect to/from the session. WAN 110 preferably comprises a virtual private network (VPN) service to segregate data traffic and to provide a high level of network performance.

Various digital services available from the service centers 300 can be accessed by the users using the client devices 400. The client devices 400 can be located in corporate offices, homes, hotels, airplanes, cars, other in-transit or franchised commercial spaces and the like. The inventive service provisioning system architecture 100 of the present invention contemplates users employing a variety of different client device implementations and a variety of different types of client devices to access the digital services available from and supported by service centers 300. These client device implementations can range from a hardware-intensive solution, such as a stateless device (for example, a video display terminal), to a software based solution wherein terminal emulation software is installed on a standard PC (i.e., a stateful device) to emulate a client device 400. The client devices 400 can range from simple “Walkman®-like” personal audio playback devices to full-function “PC-like” devices that are comparable to high-end workstations in both functionality and performance. Accordingly, client devices 400 may include but are not limited to kiosks, “dumb” terminals, personal digital assistants (PDAs), laptop computers, desktop PCs, network PCs, wireless handheld PCs, smart telephones, set top boxes (STB), TV sets, and the like.

In accordance with an embodiment of the present invention, client devices 400 can comprise various input/output peripheral equipment, e.g., displays, keyboards, speakers, microphones, smart card readers, etc., each connected to WAN 110. Preferably, client device 400 implements a remote interactive protocol (or a subset of a remote interactive protocol, i.e., a “light” or “mini” version of the protocol) to communicate with the NOC(s) 200 and service center(s) 300 on the WAN 110. Client devices 400 can each comprise a combination of the defined peripheral devices, such as one or more display devices (e.g., full-color, black/white, LCD, direct-mapped, frame-buffer device, etc.), input devices (e.g., mouse, keyboard, touch-screen, scanner, card reader, buttons, etc.), audio devices (e.g., speaker, microphone, etc.), video devices (e.g., camera, codec, clip/overlay region, etc.), and storage devices (e.g., universal serial bus (USB) devices such as printers, CDROMs, DVDs, hard disks, etc.). The specific instances and/or the number of each class of peripheral devices associated with a particular client device 400 are enumerated at power up and reported to the NOC(s) 200 as part of the device authentication and connection setup process. In this manner, the service centers 300 can adapt their input/output (I/O) interfaces to support the capabilities of a specific client device 400 configuration that is currently being used to support a number of different types of client devices 400. For example, in the case of bus-connected peripherals such as USB devices, all “plug” events (i.e., connect/disconnect events) are signaled or reported to NOC(s) 200 via the remote interactive protocol so that appropriate action can be taken at the service center(s) 300 to communicate with the client devices 400. Such actions may include, for example, transmitting appropriate rendering commands to client device 400. The signaling is also necessary because device drivers associated with the attached bus-based peripherals reside and execute on the service centers 300 and not on client devices 400. In accordance with an embodiment of the present invention, the client device 400 encapsulates or wraps the native protocol of the attached peripheral device (i.e., native USB protocol) within an appropriate remote interactive protocol and passes the native commands between the attached peripheral and the corresponding service center 300, i.e., the one currently in communication with and providing service to the client device 400. In accordance with an embodiment of the present invention, the remote interactive protocol overlays or operates “on top” of the existing native protocol to thereby enable any device to connect and communicate with the service provisioning system architecture 100. The actual policy defining the operation of the attached peripheral device is set by the corresponding service center 300. For example, the responsible service center 300 determines how to interact with, i.e., “what to do” with the attached peripherals and how to respond to various events such as hot plug/unplug, device-specific exceptions, etc.

In accordance with an embodiment of the present invention, a proxy device 410 can be utilized to enable a non-compliant client device 420 to connect to the WAN 110 and communicate with the service centers 300 and the NOC 200. Non-compliant client devices 420 may represent devices that do not currently themselves support the remote interactive protocol of the service provisioning system architecture 100. To provide an appropriate interface, the proxy device 410 appears to the WAN 110 as a client device 400 and acts as a protocol converter or “tunnel device” for the non-compliant client device 420. For example, instead of installing the emulating software on a “dumb” terminal, the “dumb” terminal can be connected to a proxy device 410 which is connected to the WAN 110, thereby enabling the “dumb” terminal to communicate with the NOCs 200 and the service centers 300 via the proxy device 410 and WAN 110.

For example, the proxy device 410 can be used to connect a non-compliant thin client to the WAN 110 by converting the thin client's native protocol to its analog in the remote interactive protocol. Accordingly, from the service provisioning system architecture's point of view, the non-compliant thin client is just another client device 400 connected to the WAN 110, whereas, from the thin client's point of view, it is simply connected to a standard thin client server. Therefore, the service provisioning system architecture 100 can connect and communicate with an existing network, device or system with no or only minimal modification to the hardware and/or software infrastructure of the existing network, device or system. Accordingly, the existing network, device or system's functions, operations and infrastructure have not changed, but its capabilities have been enhanced and extended by connecting to the service provisioning system architecture 100. By connecting to the service provisioning system architecture 100, a corporation, an organization or an individual can now provide a world-wide remote access to the services available on its existing network, device or system without compromising security or investing in new hardware/software infrastructure, such as a new client-server system, firewalls, etc.

In the service provisioning system architecture 100, the “real” computing resources and the data associated with the services reside in the service centers 300. It is appreciated that a service center 300 can be a legacy enterprise data center outfitted with one or more connectors or connection service modules 310, or a special site set up specifically to support a given service, such as video conference, Internet protocol (IP) telephony, voice messaging, cable television, digital music, digital movie, e-commerce, etc. The service provisioning system architecture 100 enables the service provider to offer its services by establishing a service center 300 which connects its system to the WAN 110 via a connector 310. The connector or connection service module 310 encapsulates or wraps the existing native protocol of the corresponding service center 300 within an appropriate remote interactive protocol. This enables the service center 300 to transmit its native commands to client devices 400. Also, the connector or connection service module 310 of the service center 300 unwraps or disassembles the remote interactive protocol messages or packets containing the native commands of the client devices 400 destined for the service center 300. In accordance with an embodiment of the present invention, all services offered by the service centers 300 are delivered to the client devices 400 at the direction of, and under the continuous control of, the NOC(s) 200, described hereinbelow.

In accordance with an embodiment of the present invention, service provisioning system architecture 100 enables a service provider to convert a data center into, or establish, a service center 300 with no or only minimal changes to its existing hardware and software infrastructure. For example, a corporation can seamlessly convert its legacy enterprise infrastructure into a service center 300 and connect the service center 300 to WAN 110 via a connector 310 to provide its employees secure remote access to a portion or all of the services available on its legacy enterprise infrastructure. The remote interactive protocol of the service provisioning system architecture 100 operates “on top” of the native protocol of the legacy enterprise system to provide secure remote access to authorized employees. For Unix-based servers, remote access to applications can be provided by either “xhost'ing” the applications or running a special “virtual framebuffer” driver in the server's X11 server software. For Microsoft Windows®-based servers, remote access to applications can be provided by enabling the Windows terminal server function and using Microsoft's RDP protocol. Both of these methods provide remote access to applications that run on the servers within the service center 300. In either case, the service center 200 has one or more connection service modules 310 that are connected to the LAN 320 (or the enterprise's Intranet) on one side and to the WAN 110 on the other side. Alternatively, the connector or connection service module 310 can be connected to the WAN 110 via a firewall device (not shown). The connection service module or connector 310 maintains a secure connection to one or more NOCs 200, and awaits instructions to securely connect one of its offered services to a client device 400 specified by one of the NOCs 200. Accordingly, everything that was previously available directly from the data center (e.g., user applications, e-mail clients, voice processing, internet connections, etc.) is now remotely accessible by a remote user, preferably using a smart card (described hereinbelow), from anywhere, yet the data never exits the perimeter of the service center 300. Hence, there is no need for a laptop or proprietary personal digital assistants (PDAs) while traveling, although they can still be used. With the service provisioning system architecture 100, businesses and corporations no longer need to purchase and maintain desktops or laptops, or provide technical and software support at the individual client device location, thereby saving substantial cost, time and overhead while providing an unprecedented level of security and performance.

In accordance with an embodiment of the present invention, connection service module 310 comprises software and hardware components, such as a set of one or more low cost, horizontally scalable servers 315 that connect each digital service to the WAN 110. For example, the digital service can represent computers or servers running a specific operating system (i.e., Windows®, Macintosh™, Linux™, Unix™, Solaris™, etc.), digital television broadcasts, IP telephony and the like. Connection service module 310 acts as the local user interface for each service, interprets the display/sound and user command set for each service and converts the command set to and from the remote interactive protocol format. Once a session is established between a client device and a service center 300, connection service module 310 uses the client device 400 to receive and display the human perceptible output of a subscribed or requested digital service and to transmit basic, atomic inputs to the subscribed or requested digital service. Connection service module 310 or servers 315 collect the video or display image (i.e., pixels), sound and I/O data sets of a digital service and generate a stateless session with the client device 400. Servers 315 are “appliance-like” in nature, requiring minimal maintenance and performing only a single function. That is, the servers 315 only manage device connections between applications or services running on the servers 330 within the service center 300 and the client devices 400 requesting such service.

The network operations center (NOC) 200 is the gateway to all of the services offered by the various service centers 200 connected to the WAN 110. The NOC 200 authenticates all connection requests received from the client devices 400 and securely transfers the connection to the appropriate service center 300 to deliver the requested services to the client devices 400. Accordingly, the service provisioning system architecture can support multiple NOCs 200 to support a large number of client devices. In accordance with an embodiment of the present invention, the number of NOCs 200 is not only vertically scalable, but the functions within a single NOC are also horizontally scalable (the number of hardware/software components within the NOC 200 can be increased to expand the NOC's capabilities).

In accordance with an embodiment of the present invention, the NOC 200 comprises one or more authentication service modules 210, a Meta-Desktop™ service module 220, a user database 230 and a client database 240. The authentication service module 210 responds to authentication requests from the client devices 400 and executes the authentication process of the remote interactive protocol to set up and maintain valid authenticated connections between the client devices 400 and the NOC 200. The authentication service module 210 stores and maintains valid client devices, user IDs and their associated public keys in the user database 230 and the client database 240. Each client device 400 can be associated with a particular NOC 200. Alternatively, each client device 400 can be associated with a primary NOC 200 and a secondary NOC 200 in case the primary NOC 200 is unavailable. Turning now to FIG. 3, there is illustrated an authentication process in accordance with an embodiment of the present invention. The client device 400 can either transmit its authentication request directly to the assigned NOC 200 (i.e., www.xds.net, www.xds.cojp, www.xds.de, etc.) or broadcast its authentication requests on the WAN 110 to be received and processed by the assigned NOC 200 in step 1000. Preferably, the client device 400 uses the public key associated with the assigned NOC 200 to encrypt the authentication request before transmitting or broadcasting its authentication request to the assigned NOC 200 in step 1000.

Each NOC 200 is assigned a unique private key. Using the NOC's private key, the authentication service module 210 decrypts the authentication requests or messages received from the client devices 400 in step 1010. The authentication service module 210 transmits or broadcasts an encrypted response to a particular client device 400 by encrypting the response using the public key that is associated with that client device 400 or a user on that client device 400 in step 1020. Preferably, the inventive service provisioning system architecture 100 employs a symmetric public key exchange wherein the authentication service module 210 has the public key associated with a user or the client device 400 and the client device 400 has the public key associated with the authentication service module 210. That is, the client device 400 encrypts its authentication requests using the public key that is associated with the assigned NOC 200 and decrypts the response or messages received from the assigned NOC 200 using its or the user's private key. This symmetric authentication procedure ensures that a valid NOC 200 is in communication with a valid client device 400.

Once the authentication request and response have been successfully exchanged between the requesting client device 400 and the authentication service module 210, the requesting client device 400 and the authentication service module 210 share a unique value (preferably, a value that is difficult to determine or guess) that can be used as a session key or initial session key in step 1030. In accordance with an embodiment of the present invention, each client device 400 includes a smart card reader 430. Each smart card uniquely identifies a user and stores user information, such as the user ID, the user's private key, the NOC's public key and the like. A user inserts his smart card into the smart card reader 430 of the client device 400 to initiate a session between the client device 400 and a NOC 200. The smart card generates an authentication request based on the client ID of the client device 400, encrypts its authentication request using its stored public key and decrypts the response or messages received from the NOC 200 using its stored private key. Once the authentication request and response have been successfully exchanged, the smart card and the authentication service module 210 share a session key or initial session key to establish a session with each other. The use of the smart card enables a NOC 200 and a thin or “dumb” client device 400 (i.e., a low cost client device lacking encryption and decryption capabilities) to authenticate each other to establish a session.
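The exchange of steps 1000 to 1030, as an added illustration that is not code from the patent: the smart card encrypts its request under the NOC's public key, the authentication service module decrypts it with the NOC's private key, looks the client ID up in the client database, answers under that client's public key, and both sides derive the same session key from the two contributions. The tiny textbook RSA stand-in, the JSON message layout and the nonce-based key derivation are assumptions of this example, not the remote interactive protocol.

```python
import hashlib
import json
import secrets

# Toy textbook RSA on tiny primes (an assumption of this example, NOT a
# secure cipher): it only makes the who-encrypts-with-whose-key flow concrete.
def make_keypair(p, q, e):
    """Return ((n, e), (n, d)) for primes p, q and public exponent e."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def pk_encrypt(public, data):
    n, e = public
    return [pow(b, e, n) for b in data]        # one block per byte (toy)

def pk_decrypt(private, blocks):
    n, d = private
    return bytes(pow(c, d, n) for c in blocks)

def derive_session_key(nonce_card, nonce_noc):
    """Step 1030: the shared value both sides can use as the session key."""
    return hashlib.sha256(f"{nonce_card}|{nonce_noc}".encode()).hexdigest()

class AuthenticationServiceModule:
    """Authentication service module 210 with its client database 240."""
    def __init__(self, noc_private, client_db):
        self.noc_private = noc_private
        self.client_db = client_db          # client ID -> client public key
        self.session_keys = {}              # client ID -> session key

    def handle_request(self, blocks):
        # Step 1010: decrypt the request with the NOC's private key.
        req = json.loads(pk_decrypt(self.noc_private, blocks))
        client_public = self.client_db.get(req["client_id"])
        if client_public is None:
            return None                     # unknown client: no response
        nonce_noc = secrets.token_hex(16)
        self.session_keys[req["client_id"]] = derive_session_key(req["nonce"], nonce_noc)
        # Step 1020: answer under the public key of that client device.
        resp = json.dumps({"echo": req["nonce"], "nonce": nonce_noc}).encode()
        return pk_encrypt(client_public, resp)

class SmartCard:
    """Smart card holding the client ID, its private key and the NOC public key."""
    def __init__(self, client_id, card_private, noc_public):
        self.client_id = client_id
        self.card_private = card_private
        self.noc_public = noc_public
        self.nonce = None

    def make_request(self):
        # Step 1000: the card's own pseudo-random source supplies the nonce.
        self.nonce = secrets.token_hex(16)
        req = json.dumps({"client_id": self.client_id, "nonce": self.nonce}).encode()
        return pk_encrypt(self.noc_public, req)

    def accept_response(self, blocks):
        resp = json.loads(pk_decrypt(self.card_private, blocks))
        if resp["echo"] != self.nonce:      # only the NOC private key could echo it
            raise ValueError("response does not answer our request")
        return derive_session_key(self.nonce, resp["nonce"])

def run_exchange(card, auth_module):
    """Return the session key the card derives, or None if the NOC refused."""
    resp = auth_module.handle_request(card.make_request())
    return None if resp is None else card.accept_response(resp)

def demo():
    """Constructed keys and client database; returns the agreed session key."""
    noc_public, noc_private = make_keypair(61, 53, 17)
    card_public, card_private = make_keypair(101, 113, 3)
    auth = AuthenticationServiceModule(noc_private, {"client-0001": card_public})
    card = SmartCard("client-0001", card_private, noc_public)
    key = run_exchange(card, auth)
    assert key == auth.session_keys["client-0001"]
    return key

if __name__ == "__main__":
    print("session key:", demo())
```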

Once the session key and the authentication of the requesting client 400 have been established, the authentication service module 210 passes off or provides the client ID associated with the requesting client device 400 to the Meta-Desktop service module 220 in step 1040. The Meta-Desktop service module 220 establishes a device connection with the requesting client device 400 and displays a customized Meta-Desktop on the requesting device 400 in step 1050.

In accordance with an embodiment of the present invention, the Meta-Desktop module 220 comprises one or more Meta-Desktop servers 225. The Meta-Desktop service module 220 searches the client database 240 for a client profile based on the client ID supplied by a remote user's smart card and reads or retrieves the client profile to determine the client device type, the location of the client device (e.g., geographic location and/or network location such as IP address), the attached peripheral devices and the like. Based on the client profile information, the Meta-Desktop module 220 generates a Meta-desktop session using an appropriate Meta-desktop server 225 (e.g., one having spare capacity) and establishes a secure device connection with the requesting client device 400 to display the client-specific customized Meta-Desktop on the requesting client device 400. As a security measure, the Meta-Desktop service module 220 preferably initiates the device connection to the client device 400 to ensure that the Meta-Desktop service module 220 is in communication with a valid and authenticated client device 400.

The Meta-Desktop is a top-level selection interface that is used to launch the user into a specific service connection, i.e., connecting the client device 400 to a specific service center 300 to receive a particular digital service. In accordance with an aspect of the present invention, since the Meta-Desktop is the first screen that is displayed to the user by the client device 400, the Meta-Desktop offers an opportunity to provide advertising 450, branding and other service-related functions along with user-customizable features as shown in FIG. 2A. The Meta-Desktop preferably includes icons 440 representing the various services available to a specific authenticated user on a specific authenticated client device 400 as shown in FIGS. 2A-2D. For example, even though a user is subscribed to the Internet telephony service, he may not be able to access the telephony service if the client device 400 is not equipped with a microphone. In accordance with an embodiment of the present invention, based on the client profile information and information received from the client device 400, the Meta-Desktop service module 220 can customize or tailor the Meta-Desktop content for a specific client device, a specific user, a specific location of the user, a specific time, etc. Preferably, the Meta-Desktop module 220 transmits, pushes or broadcasts dynamically changing and constantly updated displays to the client devices 400.

Although the service provisioning system architecture 100 has been described herein as providing the Meta-Desktop service, it is appreciated that the Meta-Desktop service is merely one of many services that can be provided by the NOC 200. Accordingly, as with the Meta-Desktop service, authentication service module 210 can authenticate, connect and manage any digital service to the client device 400 via a secure device connection. For example, one authentication module 210 can manage digital service A, such as the Meta-Desktop service, and another authentication module 210 can manage digital service B.

When a user selects a particular service from the Meta-Desktop displayed on the client device 400 (e.g., by clicking on an icon 440 associated with that particular service) in step 1060, the serving or assigned NOC 200 that is securely connected to the client device 400 determines the service center 300 that is associated with the selected service. The serving NOC 200 uses its secure connection to the connection service module 310 of the desired service center 300 to initiate a new device connection (also referred to herein as the render connection) between a server 330 and the requesting client device 400 in step 1070. The serving NOC 200 manages the session between the server 330 of the connection module 310 and the requesting client device 400 and maintains a record of the session (i.e., the current status or state of the session). That is, the serving NOC 200 provides the client profile information of the requesting client device 400 to the connection service module 310 and instructs the connection service module 310 to establish a session with the requesting client device 400 by initiating a device or render connection between the server 330 providing the requested service and the requesting client device 400 over the WAN 110. This approach provides enhanced security by ensuring that the connection service module 310 initiates all outgoing connections to the client devices 400, and no incoming connections to the service center 300 are permitted. That is, no client device 400 can call into or initiate connections to the service center 300. Also, the NOC 200 terminates or drops its device connection to the client device 400 that was providing the Meta-Desktop. The connection service module 310 translates the input/output commands from the application service into the remote interactive protocol format and manages the connection to the client device 400. That is, the connection service module 310 converts to the format (resolution, color depth, keystrokes, mouse coordinates, etc.) appropriate for each given client device 400 for any of the digital services available on the service center 300. It is appreciated that no translation is required by the connection service module 310 if the application supports the native remote interactive protocol, e.g., via the X11 virtual device driver software.

After the NOC 200 initiates the establishment of a session between a particular service center 300 and the client device 400, the requesting client device 400 transmits user inputs to the appropriate service center 300 over the WAN 110 in step 1080. Upon receipt, the service center 300 processes the inputs and/or performs the computations to generate output/results in step 1090. The service center 300 transmits the rendering commands to the client device 400 in step 1100.

In accordance with an embodiment of the present invention, each NOC 200 is operable to manage multiple sessions with a variety of client devices 400. NOC 200 dynamically updates the display format of each Meta-Desktop based on the type of client device 400 that is currently being used by the user to access the digital service from the service provisioning system architecture 100.

Service provisioning system architecture 100 enhances security by maintaining a secure (e.g., TCP-based) connection between the client device 400 and one of the NOCs 200. The lifetime of the authentication performed on initial user token insertion, i.e., inserting the smart card into the client device 400 to access the digital service, corresponds to the lifetime of the connection that is established between the client device 400 and the NOC 200. As long as this connection is maintained, the NOC 200 sends a “keep-alive” message to the connection service module 310 of the service center 300. Preferably, as an additional security precaution, the connection service module 310 terminates the device connection to the client device 400 if the connection service module 310 fails to receive the “keep-alive” message within a predetermined period of time. It is appreciated that the “keep-alive” function is part of the remote interactive protocol.

As part of the authentication handshake or process, the authentication service module 210 performs a public key transaction to ensure the authenticity of both individual users and the specific client device 400. However, secure distribution of the keys is a problem in a public key system, so a secure system is necessary to ensure that keys are securely distributed and safeguarded. In accordance with an embodiment of the present invention, the service provisioning system architecture 100 utilizes a token-based security system that employs smart card technology for distributing keys and generating session keys. For example, a valid user can use his smart card or integrated circuit card to log on to his session via the client device 400 and access the various Meta-Desktop or digital services. In accordance with an aspect of the present invention, the smart card/token stores the user's private key, user credentials (e.g., a client/user ID), the public key of a NOC 200, a uniform resource identifier or locator (URI or URL) that can be used to locate an appropriate NOC (e.g., the string “xtp://<uid>.xds.com/”), and the like. Preferably, the smart card includes a source of appropriate pseudo-random numbers, so the service provisioning system architecture 100 does not have to rely on the client devices 400 having these capabilities. As discussed herein, the client devices 400 may span a wide range of device capabilities from a simple I/O device to a fully-functional PC.

In accordance with an embodiment of the present invention, the smart card/token can be used to authenticate both the client device 400 and the user. Preferably, the smart card is of the type used by the global system for mobile communication subscriber identity module (GSM-SIM). For additional security, in accordance with an aspect of the present invention, authentication service module 210 requires the user to enter a PIN or password to unlock the smart card, similar to the conventional automatic teller machine (ATM) card. This helps prevent the smart card from being used by an unauthorized user.

For a software-based client device 400 such as a web browser (i.e., one without a smart card reader), the inventive service provisioning system architecture 100 may utilize some other authentication/validation method, such as using secure sockets layer (SSL) for privacy and a fingerprint reader, a password or a challenge/response system for authentication.

A digital service such as a word processor application, web browser, video service, telephony connection, etc., can be connected to the WAN 110 through the connector(s) or connection service module(s) 310. Once a session has been established between service center 300 and the client device 400, connection service module 310 of service center 300 activates the requested digital service and converts the incoming digital data representation (e.g., a Windows desktop, display/mouse and keystrokes) into a data representation compatible with the remote interactive desktop protocol format and encapsulates it with the user session ID. That is, the connection service module 310 may generate bit-mapped pixel images of the service output, such as generating a virtual image of the desktop, an application, etc. The connection service module 310 also reports its state and availability to the NOC 200. However, if the user or user session does not request a digital service, the NOC 200 or the Meta-Desktop service module 220 merely keeps the session alive and idle, as shown in FIG. 2A. This enables NOC 200 to provide substantially immediate response to a user request for a digital service and to fully maintain the state of the service session at all times.

Turning now to FIG. 4, there is illustrated a process for transferring control of a client device 400 to another NOC 200 in accordance with an embodiment of the present invention. Upon a user request for digital service (e.g., insertion of the smart card in a client device 400) in step 2000, authentication service module 210 of the NOC 200 determines the geographic and/or network location of the requesting client device 400 (e.g., IP address) and establishes whether the distance between the client device 400 and the service center 300 associated with the digital service (i.e., the serving service center 300) is within the direct service area of the service center, e.g., a few thousand miles, in step 2010. The authentication service module 210 searches the client database 240 for client profile information, which contains information relating to the client device type, attached peripheral devices, location, etc. The size of the direct service area depends on the round-trip delay or response time, which should preferably be below the user's threshold of perception. If authentication service module 210 determines that the requesting client device 400 is within the direct service area of the serving service center 300, the authentication service module 210 authenticates the user and the client device 400, and provides the client ID associated with the requesting client device 400 to the Meta-Desktop service module 220 of the NOC 200 in step 2020. The Meta-Desktop service module 220 establishes a device connection with the requesting client device 400, customizes the Meta-Desktop based on the client profile information of the requesting client device 400, and displays the customized Meta-Desktop on the requesting client device 400 in step 2030. When the user selects a desired service from the Meta-Desktop displayed on the requesting client device 400 in step 2040, the NOC 200 determines and instructs the corresponding service center 300 to establish a device connection or session with the requesting client device 400 in step 2050.

If the client device 400 is outside the direct service area of the service center 300, in accordance with an embodiment of the present invention, the home NOC 200 encapsulates the user session and transfers and re-establishes the user session at another NOC 200 located closer to the client device 400 (i.e., the remote NOC 200) in step 2060. That is, the original user session with the home NOC 200 is “frozen” or suspended. In accordance with an aspect of the invention, a series of dedicated servers and software (i.e., session caching servers) encapsulates and transfers the user session to provide global hot desking (i.e., synchronizing the state of the user session among various NOCs 200). Upon a user's return to his home service area, the home NOC 200 restores/updates and synchronizes the user session in his home service area (i.e., stores the state of the user session on the user database 230 of the home NOC 200) in step 2070.

The NOC 200 hosts and continuously maintains the user session, thereby enabling the user to freely switch between different types of client devices 400 and/or locations in real time, while maintaining the user session on the NOC 200 and/or the connection service module 210. The user can continue with the session from the point at which the session was last accessed. Accordingly, if connection service module 210 does not receive the “keep-alive” message from the NOC within a predetermined period of time, the connection service module 210 terminates the render or device connection to the client device 400. Similarly, if the user logs off or removes the token or smart card from the client device 400, NOC 200 continuously maintains the user session, but terminates the authentication connection to the client device 400 and instructs the connection service module 210 to terminate its render or device connection to the client device 400. A user can re-enter his user session merely by logging back in. If using a smart card or token, this is done by re-inserting the token into the same or a different client device 400. Thus, logging on and logging off can be used to switch between client devices 400. For example, a user connected to one client device 400 and showing a presentation could log off from it and log on to another client device 400 by removing the token from the first client device 400 and inserting it into the second client device 400. Other than a pause in the time needed to switch between the client devices, the state of the presentation is maintained and the user can then move about while continuing to show the presentation. When there is a lag time between the time that a user logs off and logs back onto a session, the session is cached and stored on the connection service module 310 or the NOC 200 while the NOC 200 re-establishes the authenticated and properly configured connection with the new client device. Hence, there is no need for a laptop or proprietary personal digital assistants (PDAs) while traveling, although they can still be used. With the service provisioning system architecture 100, the user only needs to carry his smart card or token to remotely access his corporate network from anywhere.
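The keep-alive rule and the log-off behaviour described above, as an added example that is not the patent's code: a model of connection service module 310 that drops the render connection when the NOC's keep-alive is overdue or when the NOC instructs a log-off, yet keeps the cached user session so the same token can re-attach from a different client device. The injectable clock, the timeout value and the session fields are assumptions of this example.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class UserSession:
    """Session state cached on the connector; it survives loss of the render link."""
    client_id: Optional[str]        # client device currently rendering, if any
    last_keepalive: float           # time the last NOC keep-alive arrived
    render_open: bool = True
    state: dict = field(default_factory=dict)   # e.g. the slide being shown

class ConnectionServiceModule:
    """Render-connection bookkeeping of connection service module 310."""
    def __init__(self, keepalive_timeout, clock=time.monotonic):
        self.timeout = keepalive_timeout   # the "predetermined period" (assumed value)
        self.clock = clock                 # injectable so the behaviour is testable
        self.sessions = {}                 # session ID -> UserSession

    def attach(self, session_id, client_id):
        """NOC instructs the connector to open a render connection to client_id.
        The connector initiates the connection; client devices never call in."""
        now = self.clock()
        session = self.sessions.get(session_id)
        if session is None:
            session = UserSession(client_id, now)
            self.sessions[session_id] = session
        else:                              # re-entry: cached state is kept as is
            session.client_id = client_id
            session.last_keepalive = now
            session.render_open = True
        return session

    def keepalive(self, session_id):
        """A keep-alive from the NOC: the client's authentication connection still lives."""
        self.sessions[session_id].last_keepalive = self.clock()

    def detach(self, session_id):
        """NOC instruction after log-off or token removal: drop the render
        connection but keep the cached session for re-entry."""
        session = self.sessions[session_id]
        session.render_open = False
        session.client_id = None

    def sweep(self):
        """Terminate every render connection whose keep-alive is overdue.
        Returns the IDs of the sessions that were cut off; their state stays cached."""
        now = self.clock()
        dropped = []
        for session_id, session in self.sessions.items():
            if session.render_open and now - session.last_keepalive > self.timeout:
                session.render_open = False
                session.client_id = None
                dropped.append(session_id)
        return dropped
```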

The connection service module 310 receives incoming data from service providers or servers 330 and parses the information for transmission to the client devices 400. The present invention utilizes the basic user interface of each client device 400 rather than transcoding information based on the features and functionalities of each client device 400 to display the representation of the data on the client device 400. Transcoding is a process of converting a media file or object from one format to another. For example, transcoding is used to convert video formats and to fit hypertext markup language (HTML) files and graphic files to the constraints of mobile devices and other web-enabled products, which usually have smaller screen sizes, less memory, and lower bandwidth rates. The client session and the computing overhead to process and manage each user session reside with the NOC 200.

The connection service module 310 transfers (i.e., uploads and downloads) data to each client device 400. In accordance with an embodiment of the present invention, the connection service module 310 is a normalized virtual media buffer operable to transfer data using a range of protocols, such as ALP, RDP, IP and the like. Preferably, connection service module 310 transfers data using the remote interactive protocol optimized to provide a high level of performance with encrypted delivery of streaming data representations, such as streaming video and audio. Those skilled in the art will appreciate that information relating to streaming audio or video can be transmitted using the User Datagram Protocol (UDP) and/or a proprietary tunneling protocol architecture, as these formats tolerate some data loss while reducing data latency. Each session's graphical user interface (GUI) and visual information can be driven by each service driver having its own rendering engine or windowing engine, such as Microsoft Windows® or the Java™ virtual machine.

By virtue of the present service provisioning system architecture, NOC 200 can establish a secure communication path between the connection service module 300 and the client device 400 to provide unparalleled levels of security to both the service providers and the users. In addition, the present invention enables all sessions to be available to the user without any data traveling outside the service center 300, thus providing secure and continuous access to the data from anywhere, including unsecured remote locations.

In view of the foregoing description, numerous modifications and alternative embodiments of the invention will be apparent to those skilled in the art. Accordingly, this description is to be construed as illustrative only and is for the purpose of teaching those skilled in the art the best mode of carrying out the invention. Details of the structure may be varied substantially without departing from the spirit of the invention, and the exclusive use of all modifications which come within the scope of the appended claims is reserved.

1. A network operating center (NOC) for assisting in connecting a client device and one of a plurality of servers over a network, each of the plurality of servers providing at least one digital service over the network, the NOC comprising: a client database for storing client profile information of client devices and/or users that have an account with the NOC, the client profile information having at least a client identification (ID) identifying respective client devices and/or users and subscriber information indicative of services available in association with the client ID; an authentication service adapted to receive client IDs from the client devices connected to the NOC over the network, the authentication service capable of accessing the client database to obtain stored client IDs to assist in authenticating the client; a service selection service configured to present, on an authenticated client device, a display of available services based, at least in part, on the subscriber information, and to receive indication of a selected service from the user; and a connection service configured to contact one of the plurality of servers over the network that provides the selected service to facilitate access to the selected service over the network.
 2. The NOC of claim 1, wherein the service selection service receives client information provided by the client device, and wherein the service selection service customizes the display based on the subscriber information and/or client information.
 3. The NOC of claim 2, wherein the service selection service customizes the display based, at least in part, on an identity of a user operating the client device.
 4. The NOC of claim 2, wherein the service selection service customizes the display based, at least in part, on a specific client device operated by the user.
 5. The NOC of claim 4, wherein the service selection service selects a display format based on the type of the specific client device.
 6. The NOC of claim 2, wherein the service selection service customizes the display based, at least in part, on a location of the user.
 7. The NOC of claim 2, wherein the service selection service customizes the display based, at least in part, on a time at which the client device connected to the NOC.
 8. The NOC of claim 1, wherein the connection service provides a network address of the authenticated client device to the one of the plurality of servers providing the selected service to facilitate establishing the bi-directional connection.
 9. A system for securely providing access to digital services from one of a plurality of servers to one of a plurality of client devices over a network, wherein each of the digital services is provided, at least in part, by generating data in a native format to be articulated to a user via a respective client device, the system comprising: a network operating center (NOC) for authenticating the plurality of client devices, and for brokering a bi-directional connection between authenticated client devices requesting a digital service and a server providing the service; at least one first connector coupled to each of the plurality of servers, each of the at least one connector adapted to transform the data in the native format to a set of rendering commands capable of instructing the client device connected to the server how to render data on the client device such that the data in the native format is not transferred over the bi-directional connection or stored by the client device.
 10. The system of claim 9, wherein the rendering commands include pixel information to be displayed on the client device.
 11. The system of claim 9, wherein the data in the native format includes text data and the rendering commands include pixel information representing the text data to be displayed on the client device.
 12. The system of claim 9, wherein the at least one connector receives user inputs from the client device and converts the user inputs into instructions on how to manipulate the data in the native format.
 13. The system of claim 9, wherein the data is in a native format of a software application located on the server, but not located on the client device, and wherein the at least one connector converts the data into rendering commands such that the client device can view the data without requiring the software application.
 14. The system of claim 9, wherein the rendering commands are formatted according to an interactive format, the system further comprising at least one second connector coupled to each of the client devices, the at least one second connector adapted to convert user commands input on the client device to the interactive format.
 15. The system of claim 14, wherein the at least one first connector is adapted to convert data from the client device in the interactive format to modifications of the data in the native format.
 16. The system of claim 15, wherein the at least one second connector is part of the respective client device.
 17. The system of claim 16, wherein the at least one second connector is located remotely from the respective client device, and operates as a proxy for the respective client device.